The triennial changing of the guard is here once again for the 2021 CISSP exam syllabus!
In case you haven't seen it, I already have a complete YouTube video on the 2018 CISSP exam syllabus as compared to the new 2021 CISSP exam syllabus including all the new topics here:
If you are just starting out studying for the CISSP, please read this previous blog post if needed:
Are There a Lot of New Changes?
As with every milestone change to the syllabus from the ISC2, the changes are not that drastic. Yes, there are new topics added that was not in the old syllabus, but they do not shake the very foundation of the exam in May 2021. Learning your concepts and understanding how to apply the high-level subject matter to security situations is still the most important thing to learn.
What Are the New 2021 CISSP Exam Topics?
This is probably the only reason you are reading this post. Just want to note that these have been my observation while comparing the 2018 and 2021 ISC2 official syllabus. There are instances where some of the topics may not seem "new", but they were in the syllabus in 2021, but not in 2018, so probably they have more emphasis this time around. But really, who knows? Nobody. The CISSP exam has always been and will remain a mystery. Just because these are the new topics doesn't mean these are the only things you should really focus on; the exam doesn't work like that. You still have to make sure to study everything in the syllabus and beyond. Below are some resources to find more information on the new exam topics:
I have released a series of videos on May 1, 2021 for the Members Portal on 7 of the new topics for the upcoming CISSP exam. These include:
Investigation Types
Kerberos Exploitation
Li-fi
Just In Time Access
Breach Attack Simulation
User and Entity Behavior Analytics
Security Orchestration, Automation, and Response
In the following months I should be adding more videos on new topics along with practice questions and flashcards as I learn more about them.
Legendary CISSP instructor Clément Dupuis has released a quick summary of all CISSP topics in PDF form here: CISSP CBK MAY 2021 UPDATE - HOLISTIC STUDY GUIDE
Check out this recorded webinar at timestamp 34:43: https://youtu.be/K2EE7mcaNoA
And the one with Mike Chapple here: https://youtu.be/ERi6uB6qyHQ
Domain 1
Understanding requirements for investigation types
Domain 2
Location of data in terms of managing the data lifecycle
Data protection methods (DRM, DLP, CASB)
Domain 3
Provision resources securely
Zero Trust
Privacy by Design
Trust But Verify
Microservices
Containerization
Serverless
Embedded Systems
High-Performance Computer Systems
Edge Computing Systems
Pass The Hash
Kerberos exploitation
Domain 4
Converged protocols (FCoE, iSCSI, VoIP)
Micro-segmentation, VXLAN, SD-WAN
Wireless networks (Li-Fi, Wi-Fi, Zigbee, satellite)
Domain 5
Just-In-Time Access (JIT)
Risk-based access control
Domain 6
Breach attack simulations
Compliance checks
Domain 7
Threat Intelligence
User and Entity Behavior Analytics
Perform Configuration Management
Software Assurance Maturity Model (SAMM)
Tool sets
Domain 8
Integrated Development Environment (IDE)
Continuous Integration and Continuous Delivery (CI/CD)
Security Orchestration, Automation, and Response (SOAR)
Static Application Security Testing
Dynamic Application Security Testing
Impact of Acquired Software
Software-defined security
Can We Still Use Our Old Books?
Yes, 100% you can, and you should, even if you also buy the newer books.
Just look at all these CISSP books:
Some of these books are 500 to 1000 pages long.
Let me ask you: what industry or certification have you seen where books this large, this voluminous, have been written, and then in one or two years those books were completely obsolete and new ones were written for a completely new exam?
None that I can think of.
I was studying for my CCNA last year, and was still using the old CCNA books from 2014 to learn and refresh myself about OSPF, BGP, and routing in general. Those kinds of things suddenly don’t just drastically change.
For the CISSP exam, let me show you something else, some hard evidence of what I’m talking about. Everybody likes evidence when proving a point right? Right….
I mean, without some sort of hard undeniable evidence in this blog post, then I’m just some guy expressing his opinion (there's too much of that going around already). I’d be just some guy writing a CISSP blog with absolutely no evidence of what I’m talking about. That’s not going to fly with you guys, I know that. I have to prove myself. I’m here to provide irrefutable facts to better help you make a judgement on what to do for the May 2021 CISSP exam.
A veteran of CISSP certification instruction, I noticed a few things over the years. For example, take a look at a page from the Shon Harris 3rd Edition about the steps of the BCP/DRP process:
7 blocks of quick text going over the "Process components of developing a business continuity plan".
Now check out the Shon Harris 7th Edition:
Do you notice any major changes? Not really. It's the same material pretty much except for some slight modifications in the text.
Last one, check out the Shon Harris 8th Edition:
Any major differences? Not really. Same graphic, same concepts, even though the 8th Edition book was released around 15 years after the 3rd Edition.
Feel free to keep using your old books. Not to mention, as of today February 22, 2021, there has not been any marketing promotions of an upcoming CISSP book that would address any of the new changes we are about to mention.
All your old CISSP books are not going to suddenly be useless. They're expensive and well-written, you don't have to get rid of them! Feel free to use your current and old CISSP books for the new May 2021 exam (right now you don't have any other choice).
Do I Have to Buy the New Books?
Because I don’t want to tell you how to spend your money, this is a personal financial decision, but I think most people would be better off with the new books if they can afford to get them.
These books aren’t cheap. The Sybex and Shon Harris books I think they break like $40 or even $50 or something like that. It’s a lot of money, I don’t care what part of the world you live in. Whether you’re a wealthy businessman from Singapore or a systems administrator from Bangalore, $50 is still a lot of money for an information security book. If you can afford it, go for it. Otherwise, you should be kind of okay with the old books as long as they are at least some recent editions.
Let me just provide the PROS and CONS of each, and you can decide.
Here are some PROS:
Reading the old books even after you buy the new books is a good way to see how the old things were done, and how the new way is currently being done.
Observing the evolution of a technology as it overtakes each of the advancements of its predecessors is a fantastic learning tool. That’s the reason why the cryptography chapter of our CISSP books goes into the history of cryptography, like all that Caesar Cipher, Scytale cipher, and Alan Turing World War 2 stuff. It’s important to understand the history of cryptography in order to understand the future of it with topics like quantum computing or artificial intelligence.
That’s really the mark of a security professional. If you know the current trend, but also if you know why the current trend IS the current trend and why it’s no longer the old trend.
If you have your old books and the new editions of them, read ‘em both. Just to see how they compare, just to note the differences. It’s a good thing.
Another good thing about using our old books is that, suppose after the initiation of the new May 2021 exam, the 9th Edition comes out and it talks about how it addresses all the new topics of the CISSP exam.
And you’re like “Well gee, all I have is the 8th Edition, and my financial situation isn’t really making it possible for me to buy the new 9th edition.”
In this situation, what does it make the future Certified Information System Security Professional do? It makes them more resourceful. They are armed with two things now: their old books, and the knowledge that there are new topics in the new book. Even though they don’t have the new book. What starts now is a series of multiple Internet searches in order first figure out what the new topics are in general, and then to figure out how the topics are discussed in the new books.
Now the CISSP study guides aren’t going to be the only books that talk about the new topics in the upcoming CISSP exam. You have other CISSP instructors scouring the web or anything else to see and figure what the new CISSP topics are. I’ve said it before, there has never been a better time to pass your CISSP exam than now. There are more books, more practice questions, and more CISSP instructors around to help you.
And I’ll keep it real with you too, yes, we do it to keep everyone informed, but as CISSP instructors we also want to be the FIRST to give it to you. Plain and simple. It’s greed. It’s pride. It’s honor. It’s trying to be the first, it’s human nature almost. I find myself doing it too…but, over the years doing this CISSP thing, I’ve found it is just best to wait until all the information is out instead of just pushing out the preliminary information.
You will find the information on the new CISSP topics even without buying the new edition book. You will find it due to your own ingenuity and resourcefulness because you aren’t leaving anything to chance, you aren’t leaving any stone unturned on your journey to pass the CISSP exam.
Okay? So even if you are unable to buy the new edition books, you should be okay with the old ones, given they are not really old editions quite yet. Any new topic you want to learn more about, people will provide the information over the Internet (and please make sure they are credible sources).
That parlays into our next question:
Is the Exam Going to be Completely Different?
Short answer, no.
It’s still the CAT exam, the computer adaptive test, for which you have 3 hours and probably a maximum of 150 questions.
You can go all the way up to 150 questions, but if the CAT algorithm determines you have shown what it takes to be a CISSP, it may even stop you at 100 questions.
User experience may vary.
Is the Exam Going to be More Technical?
Is the exam going to be more technical?
A question that many are painfully wishing is a solid no.
Is the new May 2021 CISSP exam going to be more technical than high-level?
The answer is: I don’t know. Nobody knows the contents of the real CISSP exam and even if they do, they are not allowed to talk about it due to the NDA.
If you hear anyone talking about the details of the exam and what questions or what TYPE of questions are on there, then be your high-grade full of integrity security professional self and extract yourself out of that conversation, or change the subject, or if you want like I do, tell them this discussion should not be taking place.
Don’t allow your integrity to waver even for a second, no matter the circumstances. We are security professionals, we can’t give in even a little bit, not even an edge of complacency when it comes to our integrity.
Because if we do, well, then it’s all over. Then you can’t trust anyone anymore, and we’ll just live in a world where we’re suspicious of everyone.
You can make a difference just by maintaining your integrity. Sooner or later, someone is going to see that you are a professional and they will want to be just like you, someone honest, vigilant, unwavering in their commitment, a true professional.
Is the new exam going to be more technical than high-level? I’ll just say this: the new syllabus has shown more technical topics to understand, that is for sure. Things like Kerberos exploitation, containerization, or pass the hash… the technical elements are there.
But does that mean the new exam is going to be an all-around more technical exam?
The ISC2 still calls the CISSP a certification for “security practitioners, managers, and executives”.
It doesn’t say anything about the exam for “network security engineers, security architects, or software programmers.”
The exam is still a high-level exam. But you still have to know the technical knowledge, especially from Domain 4: Network Security. Not that you will get specifically tested on the minutia of technology, but that you may need to understand it in the context of the question, in order to choose the correct high-level answer. See what I’m saying?
You need to know the technical terminology in a question, in order to choose the choice that is high-level when thinking like a manager. You need to be technical to understand what the question or choices are talking about.
I wrote an entire book about "How To Think Like A Manager for the CISSP Exam" available on Amazon Kindle/Paperback . But if you are unable to purchase it due to financial or geographic constraints, just watch this video I made on YouTube, it should be just about the same thing:
Should I Reschedule My Exam or Take It Before May?
This requires a thorough understanding of not just where you are at as far as your studies, but where you are at in your LIFE.
We can just breakdown some ways to come up with your decision to take the exam soon, or delay until May.
MARCH
If it’s March, then this really is the time that a hard and confident decision has to be made. You are either going to take it soon, or you are going to wait until after May. There is no other choice. Here are just some of my checks to see if you should just take it before the new exam is in effect:
You have read the Sybex 3 times cover to cover
You have read the Shon Harris book cover to cover at least once
You have taken at a minimum 3,000 practice questions
You have an extensive resource of PDF notes at your disposal to constantly and consistently flip or scroll through
You have watched at least 40 hours of CISSP videos across various domains
You have completed and are now reviewing your handwritten notes
If you truly feel like you have studied as much as you can, then now is the time. Take the exam before May if you don’t want to feel the agony about the unknown factor of taking an exam for which there are new topics
You just want to be tested on what you studied, not the new stuff. At least this way you have the comfort of knowing what you have studied is aligned more with the current exam instead of the new one
This link may also help you determine if you are almost ready for the exam:
APRIL
If the month is April now and you have 1 month left until the new exam…it’s the same thing as March, but with more intensity.
Let me just say this: if your whole life for the last few months, from waking moment to sleeping late at night, if the CISSP has been your entire life for months, then book that exam before May, don’t waste all the effort.
If you feel like you are halfway done, or could use some more practice questions to boost yourself from 3,000 questions to now at least 5,000 – hold off on the exam, take it after May.
This way, you can account for the new topics while also studying the topics you still have not gotten to yet.
MAY
And if it’s May, well…it’s zero hour. Time to cross the Rubicon. You got to take the new exam.
You guys want to talk about anything else?
How about going over a CISSP practice question…shall we?
Everybody loves doing that. Can’t get enough CISSP practice questions and analysis……right?
Right…
Practice Question
You're going to read a lot of articles and watch a lot of videos that go over the new CISSP topics and provide you all the information you need. But I want to add a little bit more value and also provide a practice question on a new CISSP topic as well.
Which choice encompasses the ability to reduce the time a malicious insider has to gain access to privileged accounts?
A. Timed privilege elevation
B. Brokered access
C. On-Demand accounts
D. Just-in-Time access
Let me just go ahead and start off by giving the answer, the correct answer is D!
Just-In-Time Access
Just-in-Time access “encompasses” all the other choices. Choice A, B, and C are forms of Just-in-Time Access. And just coincidentally, Just In Time Access is also a new topic in the May 2021 ISC2 CISSP Exam. It is my obligation as a CISSP instructor to provide a practice question regarding the new addition.
What exactly is Just-in-Time access?
It’s elevating the access privileges of a user for a specific period of time. As in, you don’t get access to the file server all the time, you only get it when you need it. It’s a pretty neat idea.
Say a client dropped a file for you on a network shared location and you needed to retrieve it. With just regular standing access, you can access it anytime. The downside is, if your computer is compromised, the attacker can access it anytime as well. If you had Just-in-Time access, an attacker would have to specifically carry out a lateral move to the file server after compromise only between 3pm and 5pm. A compromise is still possible, but wow does it reduce the chances!
I find it an amazing security procedure. You only get access for the amount of time that you need it for, not all the time. Information security innovators are so smart, I am so proud to be in this industry around such brilliance.
Timed Privilege Elevation
For Choice A, timed privilege elevation is a form of Just-in-Time access which increases a user’s privileges and rights for a given time, and removed when that time is over. Say they’ll get access to files only from 3pm to 5pm, as stated earlier.
Brokered Access
For Choice B, brokered access means a middle-man or middle-interface (like a server vault) provides access to the user after a business justification is provided.
So not only are you on a time limit to access a resource, you also have to provide a reason for accessing it.
Pretty AWESOME. Humans it seems are capable of solutions to every problem.
On-Demand Accounts
And for Choice C, user accounts are specifically provisioned to access a resource, and then terminated or deprovisioned forever. In our current day, the idea is you create a user account and keep it open forever until the user leaves the company. But with Choice C, it is a temporary provisioning.
An elegant solution for a more advanced age.
During this time of CISSP exam changes I am also asked whether my CISSP Members Portal will have updated course content explaining the new content as well as enforce knowledge through the use of practice questions, flashcards, and PDF notes. The truth of the matter is, I never stop creating CISSP content, I haven't stopped in 6 years - this is my thing. I am always creating CISSP videos whether on the old topics or the new. The Study Notes and Theory Members Portal gets new content every month, or as long as I can keep doing this thing. I will do my best to make the new topics a priority because I know you are going through a lot of stress and pressure for this exam.
Good luck on the exam. I just know you're going to pass and become a great information security professional for this world.
Keep in mind: Why The CISSP Is Worth It